Get Alerted: to get immediate alerts of high priority security issues, please join the low-volume foswiki-announce list - details at MailingLists

plain text

Security Alert: Windows Apache server configured using .htaccess files can be compromised.

Foswiki recommends use of Apache configuration files for configuring the server whenever possible. The example files included with Foswiki, and any configurations generated by the ApacheConfigGenerator all specify AllowOverride None for the /pub directory. If these examples are not used, or the server requires use of .htaccess files due to other site requirements, then Windows hosted Apache servers could be vulnerable.

Note: This alert is different from the TWiki version. Foswiki recommends that this issue be corrected solely with a configuration change. Software patching is not required. On most platforms there is no need to restrict files named with a trailing dot.

Foswiki has limited vulnerability to this attack vector. Systems are only vulnerable when the following conditions exist:

• Foswiki is running on a Windows + Apache web server (Linux based installations are not vulnerable)
• AND the Apache server has been configured to enable .htaccess file processing in the pub/ directory (not recommended)

Severity Level

Severity 1 issue: The web server can be compromised

The severity level was assigned by the Foswiki SecurityTaskTeam as documented in SecurityAlertProcess

MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7237 to this vulnerability.

Vulnerable Software Versions

• Foswiki 1.0.0, Foswiki 1.0.0-beta1, Foswiki 1.0.0-beta2, Foswiki 1.0.0-beta3, Foswiki 1.0.1, Foswiki 1.0.2, Foswiki 1.0.3, Foswiki 1.0.4, Foswiki 1.0.5, Foswiki 1.0.6, Foswiki 1.0.7, Foswiki 1.0.8, Foswiki 1.0.9, Foswiki 1.0.9-rc1, Foswiki 1.0.9-RC2, Foswiki 1.0.10, Foswiki 1.0.10-rc1, Foswiki 1.1.0, Foswiki 1.1.0-beta1, Foswiki 1.1.0-RC1, Foswiki 1.1.1, Foswiki 1.1.2, Foswiki 1.1.3, Foswiki 1.1.3-RC1, Foswiki 1.1.4, Foswiki 1.1.4-RC2, Foswiki 1.1.5, Foswiki 1.1.6, Foswiki 1.1.7, Foswiki 1.1.8, Foswiki 1.1.9

To be fixed in Foswiki 2.0

Attack Vectors

Use an HTTP POST request towards a Foswiki on Windows server to upload a specially named file (typically port 80/TCP). Prior authentication is typically required.

Impact

A remote attacker can upload a '.htaccess' file that may make uploaded files executable on the server.

Details

.htaccess files allow server options and access rules to be overridden "in-directory". Any setting of "AllowOverride" other than "None" in the Apache configuration will cause Apache to look for and apply overrides from .htaccess files located in the directory of the file that it is about to process. If there is any path for a remote user to upload an .htaccess file, then the server is potentially subject to compromise.

Foswiki provides a default {UploadFilter} that blocks attempts to upload the .htaccess file. The vulnerability occurs because the Windows file system will strip any file of the "trailing dot" when the file is written to disk.

• Attacker creates a .htaccess file that enables execution of a particular file
• Attacker uploads the file as .htaccess. (note trailing dot)
• Foswiki UploadFilter fails to block the file, due to the trailing dot.
• Foswiki saves file to disk, Windows writes the file named .htaccess stripping the trailing dot
• Attacker then uploads a file which can then be executed due to the rules override.

Countermeasures

No action is necessary on non-Windows server platforms

• Update the Foswiki {UploadFilter} configuration to block files with a trailing dot. (Note the added ? following the |cgi) )

"Security and Authentication" Section,

• "Environment" Tab, Reveal the "Expert" settings and change the {UploadFilter} setting, adding a ? after the cgi).

If configure is not convenient, it is also possible to update the lib\LocalSite.cfg file directly.

Before: 
     $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi))$';
After: 
     $Foswiki::cfg{UploadFilter} = '^(\\.htaccess|.*\\.(?i)(?:php[0-9s]?(\\..*)?|[sp]htm[l]?(\\..*)?|pl|py|cgi)?)$';

After this change is applied, the file .htaccess. will be renamed to .htaccess..txt during upload, and would be ignored by Apache.

Other recommendations

• Review Apache configuration files for possible misconfiguration:
  • The /pub directory should specify AllowOverride None
  • Look for any instances of the AccessFileName directive. If .htaccess has been changed to some other name, the UploadFilter must be changed to match that name.
• Find and remove any .htaccess files from directories below the /pub directory.
  • If any files are found, review the content of any other attachments that may have been made executable by that file.

Authors and Credits

• Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue with detailed description to the twiki-security@lists.sourceforge.net mailing list
• PeterThoeny for notifying the Foswiki project.

Action Plan with Timeline

• 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
• 2014-10-07 - Peter Thoeny notifies Foswiki project and sends private alert to TWiki community.
• 2014-10-07 - GeorgeClark verifies issue.
• 2014-10-07 - GeorgeClark sends preliminary alert to Foswiki-announce list with recommended configuration changes.
• 2014-10-08 - GeorgeClark, CrawfordCurrie, MichaelDaum, JanKrueger review issue, agree that a code fix is not required. A simple configuration change is sufficient.
• 2014-10-08 - Security team creates advisory with hotfix

• TBD - Release Manager builds patch release (name)
• TBD - Send alert to foswiki-announce and foswiki-discuss mailing lists (name)
• TBD - Publish advisory in Support web and update all related topics (name)
• TBD - Reference to public advisory on Download page and Known Issues (name)
• TBD - Issue a public security advisory (vuln@secunia.com, cert@cert.org, bugs@securitytracker.com bugtraq@securityfocus.com full-disclosure@lists.grok.org.uk) (name)

• #Set ALLOWTOPICVIEW = SecurityGroup
• Set ALLOWTOPICCHANGE = SecurityGroup